I'm not as familiar with C++ as I am with C, but I looked up sprintf and saw it was exactly like printf except that it writes its result to a string instead of stdout. Plus it doesn't look like any kind of bounds are set to protect anyone from feeding "char str[20];" more than it can hold. Did some nice experimenting with `perl -e 'print "A" x 21'` and got an error box from the application saying this is either a corrupted file or not a valid file type. Tried many, many different sequences in that little perl string but never got a segmentation fault. (Possibly because this app is in C++, not C?) But I fired it up inside gdb (the Linux debugger) and when I used the list command it pointed exactly to the line with the sprintf I listed in the code above. I can even set a breakpoint on it, but it doesn't seem to matter. I can't seem to get eip?

getpid() returns the process id, and I highly doubt you will ever have process ids with 20 digits. Hence, unless you can do that, you won't be able to exploit that particular piece of code.

Ok, I'm probably wrong, but I disagree with you. However, your comment has made me look at this differently. I was trying to feed this a string of A's because I saw the "char", but I didn't think about %d meaning integers. True, I'll probably never see a process id 20 digits long. But I think you may be missing that I'm trying to inject a string or digits, not actually create a process id like that. Maybe you're right and I am totally lost though...
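The disagreement above comes down to a simple length calculation, so here is an added example (not code from the thread; the format string `"pid=%d.tmp"` and the 20-byte buffer are assumptions, since the original sprintf line is not shown). It shows why a fixed format with only a `%d` cannot overflow a 20-byte buffer, how `snprintf`'s return value reports truncation, and where an overflow does become reachable: when part of the formatted string comes from the input file rather than from `getpid()`.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_LEN 20

/* Assumed format: the thread never shows the real one. */
#define PID_FMT "pid=%d.tmp"

/* Worst-case width of an int under %d: INT_MIN prints as "-2147483648",
   11 characters. A process id can never take more than that. */
int max_int_decimal_width(void)
{
    char tmp[32];
    return snprintf(tmp, sizeof tmp, "%d", INT_MIN);
}

/* Unbounded sprintf, as in the thread. It is safe *only* because every
   byte of the output is accounted for in advance:
   "pid=" (4) + %d (at most 11) + ".tmp" (4) + NUL (1) = 20 = BUF_LEN. */
int format_pid_unbounded(char *buf, int pid)
{
    return sprintf(buf, PID_FMT, pid);
}

/* Bounded replacement. snprintf returns the length it *would* have
   written, so a result >= cap means the output was cut off. */
int format_pid_bounded(char *buf, size_t cap, int pid)
{
    int n = snprintf(buf, cap, PID_FMT, pid);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Hypothetical variant where a string from the parsed file (a name field,
   say) is also formatted in. This is the shape an overflow needs: the
   attacker-controlled part has no fixed maximum, while the pid does.
   With plain sprintf, 21 'A's plus "-<pid>" would already exceed 20 bytes;
   with snprintf the caller learns it was truncated and can reject it. */
int format_name_bounded(char *buf, size_t cap, const char *name, int pid)
{
    int n = snprintf(buf, cap, "%s-%d", name, pid);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void)
{
    char str[BUF_LEN];
    char attacker[22];

    /* Constructed input, same as the thread's perl -e 'print "A" x 21'. */
    memset(attacker, 'A', 21);
    attacker[21] = '\0';

    printf("max %%d width: %d\n", max_int_decimal_width());
    printf("unbounded: %d bytes -> %s\n",
           format_pid_unbounded(str, (int)getpid()), str);
    printf("bounded:   %d\n", format_pid_bounded(str, sizeof str, (int)getpid()));
    printf("21 A's:    %d (-1 means truncated)\n",
           format_name_bounded(str, sizeof str, attacker, (int)getpid()));
    return 0;
}
```

The check to apply to the real code is the first comment: add up the fixed characters of the format, the worst-case width of each conversion, and the terminating NUL, and compare against the buffer size. If everything in the format is fixed text plus `%d`, the total is bounded and the 21 A's never reach the buffer, which matches the "corrupted file" message the application showed instead of a crash.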